Privacy Policy

Last updated: 10/11/2025

1. Who is responsible for data processing

Responsible: ZARTA BOX SL (“XONEBOX”)

NIF: B75545996

Address: Camiño Veiguiña 38, Gimnasio Nave, 36212 Vigo (Pontevedra), Spain

Contact email (privacy): info@xonebox.com

Tel.: 685 29 56 74

Website: www.xonebox.es

XONEBOX has not appointed a Data Protection Officer (DPO). For any privacy issues, please write to us at info@xonebox.com.

2. Why we process your data (purposes)

We process the data you provide and the data generated by your use of the Site for:

  1. Online sales and customer service

  • To manage your registration (optional) and customer area.

  • To process orders, payments, invoicing, shipping and returns/exchanges.

  • To respond to inquiries (form, email, phone) and after-sales/warranties.

  2. Custom products

  • To receive and produce customisations (names, designs, logos or images you provide), manage sketches/final art and print proofs.

  3. Fraud prevention and security

  • Reasonable controls to detect abuse, unauthorised access or fraudulent payments.

  4. Commercial communications (only if you consent or there is a prior relationship in accordance with the LSSI)

  • Sending of newsletters, news and promotions; basic segmentation (e.g., by purchase history or declared interest) to avoid sending you irrelevant messages.

  5. Usage analysis and improvement of the Site

  • Aggregated/anonymised statistics on browsing and performance (see the Cookie Policy for cookies and similar technologies).

  6. Legal compliance

  • Tax, accounting and consumer/warranty obligations.

3. Legal bases (why it is lawful)

  • Execution of a contract (art. 6.1.b GDPR): online sales, orders, customisations, customer service.

  • Legal obligation (art. 6.1.c GDPR): invoicing, accounting and warranties.

  • Legitimate interest (art. 6.1.f GDPR): site security, fraud prevention, service improvement, communications about products similar to those already purchased (when permitted by law and with the option to object).

  • Consent (art. 6.1.a GDPR): newsletter and commercial communications not covered by prior relationship; certain cookies/tracking technologies.

You can withdraw your consent at any time (without retroactive effect) and object to processing based on legitimate interest.

4. What data we process

  • Identification and contact: name, surname, NIF (if invoicing), address, email, phone.

  • Purchase/shipping data: products, sizes, amounts, delivery/billing address, order number.

  • Payment:

    • Card (Redsys): we do not receive your complete card details; the gateway processes them directly.

    • Transfer: we receive the necessary information to reconcile the payment (amount, holder and reference/order).

  • Personalisation: texts, names, logos, images or other creations that you send us to manufacture your product.

  • Support and attention: communications and tickets.

  • Technical data for using the Site: IP, device identifiers, logs and analytics (see Cookies).

We do not request specially protected data. If you voluntarily provide it to us, we will only process it for the purpose you indicate and, if applicable, with your explicit consent.

5. Recipients (to whom we communicate data)

We share data only when necessary:

  • Technology providers (web hosting, e-commerce/ERP platform, transactional email, technical support).

  • Payment gateway Redsys and financial entities: collection management.

  • Logistics/carriers: delivery and returns.

  • Advisory/management: tax and accounting obligations.

  • Authorities and public bodies when there is a legal requirement.

Each provider acts as a data processor following our instructions, or as an independent controller when determining their own purposes and means (e.g., the financial entity/payment gateway in their scope). In that case, they apply their own privacy policies.

6. International transfers

In principle, we host and process data in the EEA. If we need to use providers located outside the EEA, we will ensure appropriate safeguards (e.g., Standard Contractual Clauses from the European Commission and, where appropriate, additional measures). You can request details of countries and current guarantees by writing to info@xonebox.com.

7. Retention periods

  • Customers and orders: during the contractual relationship and, thereafter, for the legal commercial and tax periods (e.g., up to 6 years from the last transaction or as applicable).

  • Commercial communications: until you withdraw your consent or object.

  • Inquiries/support: the time necessary to resolve them and up to 1–2 years in case of incidents.

  • Customisations/art files: for as long as manufacturing and associated warranties last or until you request their deletion if there is no obligation to retain.

After the periods have elapsed, the data will be blocked and will be deleted or anonymised safely.

8. Rights of users

You can exercise, at any time and free of charge:

  • Access to your data.

  • Rectification of inaccurate data.

  • Erasure (right to be forgotten) when applicable.

  • Restriction of processing.

  • Portability of your data.

  • Objection to processing based on legitimate interest (including marketing).

  • Withdrawal of consent for consented processing.

How to exercise them: write to info@xonebox.com indicating the right you wish to exercise. If necessary, we may ask for information to verify your identity.

Complaint to the authority: if you are not satisfied, you can complain to the Spanish Agency for Data Protection (AEPD) at www.aepd.es.

9. Minors

  • If you are under 14 years old, do not send us data without the consent of your legal representative.

  • To purchase on the Site you must be over 18 years old.

10. Security

We apply appropriate technical and organisational measures to protect the data (encryption in transit, access controls, backups, logs and minimum access policies). Nevertheless, no transmission or storage is 100% secure; if you detect any incident, contact us at info@xonebox.com.

11. Cookies and similar technologies

We use our own and third-party cookies for technical, preference, analytical and, where applicable, advertising purposes. You can configure or withdraw your consent at any time through the banner/preferences centre. More information in our Cookie Policy.

12. Information on personalised products and third-party rights

When you provide us with names, images, logos or designs to personalise products:

  • You guarantee that you have rights or authorisation to use them.

  • We will use that material only to produce your order and for related support/warranties. We may keep an operational copy for the periods specified in section 7.

  • If the content includes personal data of third parties (e.g., a name or image), you commit to having obtained the necessary legal basis (consent or otherwise) and to inform them of this Policy.

13. Automated decisions and profiles

We do not make automated decisions with legal effects. We may carry out basic segmentation for communications (e.g., by categories of interest or previous purchases). You can object at any time.

14. Changes to the Policy

We may update this Policy to reflect legal or service changes. We will publish the current version with the date of update. If the changes are substantial, we will notify you by reasonable means.

15. Contact

For questions or exercise of rights: info@xonebox.com (subject: “Privacy”).

Postal address: Camiño Veiguiña 38, Gimnasio Nave, 36212 Vigo (Pontevedra), Spain.